From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
 by mx.groups.io with SMTP id smtpd.web12.5913.1581925869663852726
 for <devel@edk2.groups.io>;
 Sun, 16 Feb 2020 23:51:09 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.88, mailfrom: jian.j.wang@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga004.fm.intel.com ([10.253.24.48])
  by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Feb 2020 23:51:07 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,451,1574150400"; 
   d="scan'208";a="258186531"
Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201])
  by fmsmga004.fm.intel.com with ESMTP; 16 Feb 2020 23:51:09 -0800
Received: from fmsmsx155.amr.corp.intel.com (10.18.116.71) by
 FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS)
 id 14.3.439.0; Sun, 16 Feb 2020 23:51:08 -0800
Received: from shsmsx105.ccr.corp.intel.com (10.239.4.158) by
 FMSMSX155.amr.corp.intel.com (10.18.116.71) with Microsoft SMTP Server (TLS)
 id 14.3.439.0; Sun, 16 Feb 2020 23:51:08 -0800
Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.46]) by
 SHSMSX105.ccr.corp.intel.com ([169.254.11.138]) with mapi id 14.03.0439.000;
 Mon, 17 Feb 2020 15:51:06 +0800
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: Laszlo Ersek <lersek@redhat.com>, "devel@edk2.groups.io"
	<devel@edk2.groups.io>
CC: "Yao, Jiewen" <jiewen.yao@intel.com>, "Zhang, Chao B"
	<chao.b.zhang@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler
Thread-Topic: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in
 DxeImageVerificationHandler
Thread-Index: AQHV5Wa/bz32+K5iwU2LHvt+8eGu2agfAwQw
Date: Mon, 17 Feb 2020 07:51:06 +0000
Message-ID: <D827630B58408649ACB04F44C510003625A10246@SHSMSX107.ccr.corp.intel.com>
References: <20200214072745.1570-1-jian.j.wang@intel.com>
 <9c8b47c7-765a-6064-49c3-a0a9578ccba6@redhat.com>
In-Reply-To: <9c8b47c7-765a-6064-49c3-a0a9578ccba6@redhat.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZmZmN2Y2OTEtMjRlYy00NmYzLWFmOWItNzc0MWE0MDJmYTg3IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoibDBmNTk2TFZzWG9IdEl1ZUQ5T2pVbU5ESUlsbURDTmw3cXFIV3pCVldCa0Z5bWphSkxpYzdqV1N6Wmd0bUF0eCJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Return-Path: jian.j.wang@intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Laszlo,

> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Monday, February 17, 2020 3:49 PM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in
> DxeImageVerificationHandler
>=20
> On 02/14/20 08:27, Wang, Jian J wrote:
> >> v2 changes:
> >>    - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 1=
0)
> >>    - Update result handling to all calling to IsCertHashFoundInDatabas=
e
> >>      to be consistent (patch 6)
> >>    - Fix commit message and title length issue caught by PatchCheck to=
ol
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608
> > Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-
> blacklist-check-via-signature-v2
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Chao Zhang <chao.b.zhang@intel.com>
> >
> > Jian J Wang (9):
> >   SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber=3D=
=3D0
> >     per DBX(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in
> >     IsAllowedByDb(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching
> >     dbx(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching
> >     code(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: Differentiate error/search resul=
t
> >     (1)(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: tighten default
> >     result(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: Differentiate error/search resul=
t
> >     (2)(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase
> >     name(CVE-2019-14575)
> >
> > Laszlo Ersek (1):
> >   SecurityPkg/DxeImageVerificationLib: plug Data leak in
> >     IsForbiddenByDbx()(CVE-2019-14575)
> >
> >  .../DxeImageVerificationLib.c                 | 291 ++++++++++++------
> >  1 file changed, 198 insertions(+), 93 deletions(-)
> >
>=20
> Please put a space character in all the subject lines before the
> "(CVE-2019-14575)" part.
>=20

Ok, it'll be added before pushing.

Regards,
Jian
> Thanks
> Laszlo